Banking connection sticky to the interface

Hi

I have 2 links load balance on vyos 1.8. I have problems with internet bancking, even after “set load-balancing wan sticky connections inbound” Is there any additional configuration for this problem? Is something missing in my setup?

Thanks
Marco Aurelio

my config’s

 interfaces {
     ethernet eth0 {
         address 192.168.100.10/24
         description wan01
         duplex auto
         hw-id xx:xx:xx:xx:xx:xx
         smp_affinity auto
         speed auto
     }
     ethernet eth1 {
         address 192.168.90.254/24
         description lan
         duplex auto
         hw-id xx:xx:xx:xx:xx:xx
         smp_affinity auto
         speed auto
     }
     ethernet eth2 {
         address 192.168.200.10/24
         description wan02
         duplex auto
         hw-id xx:xx:xx:xx:xx:xx
         smp_affinity auto
         speed auto
     }
     loopback lo {
     }
 }
 load-balancing {
     wan {
         interface-health eth0 {
             failure-count 2
             nexthop 192.168.100.1
             success-count 1
             test 10 {
                 resp-time 5
                 target 8.8.8.8
                 ttl-limit 1
                 type ping
             }
         }
         interface-health eth2 {
             failure-count 2
             nexthop 192.168.200.1
             success-count 1
             test 10 {
                 resp-time 5
                 target 8.8.4.4
                 ttl-limit 1
                 type ping
             }
         }
         rule 10 {
             inbound-interface eth1
             interface eth0 {
                 weight 1
             }
             interface eth2 {
                 weight 1
             }
             protocol all
         }
         sticky-connections {
             inbound
         }
     }
 }
 nat {
     source {
         rule 1 {
             outbound-interface eth0
             source {
                 address 192.168.90.0/24
             }
             translation {
                 address masquerade
             }
         }
         rule 2 {
             outbound-interface eth2
             source {
                 address 192.168.90.0/24
             }
             translation {
                 address masquerade
             }
         }
     }
 }
 protocols {
     static {
         route 0.0.0.0/0 {
             next-hop 192.168.100.1 {
             }
             next-hop 192.168.200.1 {
             }
         }
     }
 }
 service {
     dns {
         forwarding {
             cache-size 0
             listen-on eth1
             name-server 8.8.8.8
             name-server 8.8.4.4
         }
     }
     ssh {
         port 22
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     console {
     }
     host-name vyos
     login {
         user vyos {
             authentication {
                 encrypted-password xxxxxxxxxxxx/xxxxxxxxxxx
                 plaintext-password ""
             }
             level admin
         }
     }
     ntp {
         server 0.pool.ntp.org {
         }
         server 1.pool.ntp.org {
         }
         server 2.pool.ntp.org {
         }
     }
     package {
         auto-sync 1
         repository community {
             components main
             distribution helium
             password ""
             url http://packages.vyos.net/vyos
             username ""
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }

At a first glance nothing seems out of place. (Although the config is hard to follow due to lack of indentation.)

However what does it seem to be the issue? Is something not working properly?

(It would be helpful if you edit your initial post, by using code markers and keeping the indentation in the configuration, as it’s hard to read as it is.)

When accessing internet bank through load balance, (if it happens exchange ip address of the wan link) the session with the bank fails.

Regards

Well as one would put it “it works as designed”. :slight_smile:

However you can easily “exclude” some traffic from the WAN load-balancing:

set load-balancing wan rule 1 exclude
set load-balancing wan rule 1 protocol all
set load-balancing wan rule 1 inbound-interface <lan-interface>
set load-balancing wan rule 1 destination address <ip-address-range>

However as some other user observed sometimes determining the actual IP address range for a bank is a daunting task…

Therefore a better solution is to designate a particular IP in your LAN as “banking only”, and set an exception on that by using source instead of destination in the snippet above. (Then you can manually configure that IP while you are using your bank.)


Please note that if you have a more complex setup, that includes policy-based routing, then the WAN-load-balancing feature doesn’t work properly. You can consult the following post of mine that gives a “hacky” solution.

1 Like

Sorry´s :sweat_smile: I thought (set load-balancing wan sticky connections inbound) have the purpose to also staple connection of output always by the same link wan.

however your feedback (“exclude” some traffic from the WAN load-balancing) is the best for my case.

I had same problem, see my post

Had to completely remove load balancing and switch to outgoing traffic link failover with cron shell script. Built-in failover didn’t do everything I need.

Hi Linuks

I read your post researching on the question in the forum (same problem with me)
it would be interesting to describe how you solved your problem, in the old post you do not report the solution.

I solved it for a while, activating failover with more weight on the default interface, however this will sacrifice the load-balance.

Another alternative is to do as Ciprian suggests, (“exclude” some traffic from the WAN load-balancing) when I discover the ip range of the Bank

I had to switch to failover. Bank servers uses multiple IPs.
Another solution would be to exclude load-balancing based on local IPs of accounting department PCs.